Virtual Identity Dialogue (Comments)
https://blogs.oracle.com/mwilcox/
Copyright 2014
Fri, 25 Jul 2014 01:57:14 +0000

https://blogs.oracle.com/mwilcox/entry/updated_ovd_guide_for_managing#comment-1314012543784
Re: Updated OVD Guide For Managing Oracle Database Users (Enterprise User Security) Posted
guest
Mon, 22 Aug 2011 11:29:03 +0000
your white paper link doesn't work anymore.

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1279949861000
Re: The Initial Oracle and Sun Directory Services Update
Martin
Sat, 24 Jul 2010 05:37:41 +0000
OpenDS 2.2.0 took 3 months (Oct 13th to Dec 15th 2009). OpenDS 2.3.0 (build 1 on Jan 20th) is still not released while 2.4.0 should already be there.
How many Sun/Oracle developers are working full time on this project?
Is there an updated roadmap available?
Do you recommend to switch to ApacheDS / Fedora 389 or Openldap if one needs to stay with a free LDAP server?
Thx for any clarifications!
Release list:
https://www.opends.org/wiki/page/News
Outdated Roadmap:
https://www.opends.org/wiki/page/OpenDSRoadmap

https://blogs.oracle.com/mwilcox/entry/schema_extension_options_with#comment-1279731019000
Re: Schema Extension Options with OVD-Enterprise User Security and Microsoft Active Directory
Adrian P
Wed, 21 Jul 2010 16:50:19 +0000
I have read and observed a procedure to isolate an AD domain controller offline when applying schema changes, but now Microsoft says that is not supported nor recommended.
http://blogs.technet.com/b/askds/archive/2010/04/16/friday-mail-sack-i-live-again-edition.aspx
So testing schema changes in non-production domains is the best practice. Of course that is true for any directory technology. :)

https://blogs.oracle.com/mwilcox/entry/schema_extension_options_with#comment-1279635095000
Re: Schema Extension Options with OVD-Enterprise User Security and Microsoft Active Directory
Micheal P
Tue, 20 Jul 2010 14:11:35 +0000
This is great!

https://blogs.oracle.com/mwilcox/entry/introducing_our_new_oracle_sec#comment-1272268952000
Re: Introducing our new Oracle Security Inside Out newsletter
mark.wilcox
Mon, 26 Apr 2010 08:02:32 +0000
Great idea. I've put it on my list.

https://blogs.oracle.com/mwilcox/entry/introducing_our_new_oracle_sec#comment-1272267763000
Re: Introducing our new Oracle Security Inside Out newsletter
Martin Kendall
Mon, 26 Apr 2010 07:42:43 +0000
It would be really good to have a viewlet on Shadow Joins. The current docs are far too light.
Rgds

https://blogs.oracle.com/mwilcox/entry/introducing_our_new_oracle_sec#comment-1272028406000
Re: Introducing our new Oracle Security Inside Out newsletter
Chris
Fri, 23 Apr 2010 13:13:26 +0000
Excellent Job, Well done guys. Please continue, this is of high value. Cheers Chris

https://blogs.oracle.com/mwilcox/entry/announcing_oracle_directory_se#comment-1266314488000
Re: Announcing Oracle Directory Services Plus
Deborah Volk
Tue, 16 Feb 2010 10:01:28 +0000
Mark,
It's great to hear that customers will have a choice between OID and ODsEE.

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1265395651000
Re: The Initial Oracle and Sun Directory Services Update
Dave
Fri, 5 Feb 2010 18:47:31 +0000
Sorry, "hear" not "here" :P

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1265395623000
Re: The Initial Oracle and Sun Directory Services Update
Dave
Fri, 5 Feb 2010 18:47:03 +0000
Very happy to here OpenDS is going to remain open-source. Bravo Oracle!

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1265175153000
Re: The Initial Oracle and Sun Directory Services Update
Mike Harpenden
Wed, 3 Feb 2010 05:32:33 +0000
Will you also be posting up any discussion or feedback so we can see what's said?

https://blogs.oracle.com/mwilcox/entry/explaining_master_data_managem#comment-1265162177000
Re: Explaining Master Data Management Integration with Oracle Virtual Directory
reputation management
Wed, 3 Feb 2010 01:56:17 +0000
All these products are today inherently tied to either customer or product data. The future success of MDM—whether vendor product or independent practice—will hinge on crossing from product and customer data to data about other business entities.

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1265123688000
Re: The Initial Oracle and Sun Directory Services Update
Brad Tumy
Tue, 2 Feb 2010 15:14:48 +0000
Mark -
I haven't seen any comments yet regarding Sun's proxy server. Is there any chance that some of this functionality will get pulled into OVD or OID?
Thanks,
Brad

https://blogs.oracle.com/mwilcox/entry/the_initial_oracle_and_sun_dir#comment-1265119424000
Re: The Initial Oracle and Sun Directory Services Update
Mark
Tue, 2 Feb 2010 14:03:44 +0000
Quick question concerning Directory Services Manager, do you see this being extended to include the ability to connect to a Sun DSEE Directory service?

https://blogs.oracle.com/mwilcox/entry/impressed_with_thunderbird_3#comment-1262606956000
Re: Impressed with Thunderbird 3
James Drake
Mon, 4 Jan 2010 12:09:16 +0000
Mark,
I agree with you on TB3 and have made the move at home (from TB2 using IMAP Google)
The only problem I find:
1, Will support support it?
2, When it will get corporate buy in?
Support always comes out of IE products first (from what I see) and with our latest move to Oracle Beehive and the connector I am sure that this will be a while before someone says: "yes, we will develop the same tools going forward"
JD

https://blogs.oracle.com/mwilcox/entry/impressed_with_thunderbird_3#comment-1260821855000
Re: Impressed with Thunderbird 3
Ravi Pinto
Mon, 14 Dec 2009 20:17:35 +0000
Mark,
I am in 100% agreement with you. TB3 is really cool. Tabbed interface is another feature that I like.
I am waiting to see what add-ons would do to it!!!
Ravi

https://blogs.oracle.com/mwilcox/entry/thinking_on_oauth_uma_and_spml#comment-1259220644000
Re: Thinking on Oauth, UMA and SPML
Clark Sanford
Thu, 26 Nov 2009 07:30:44 +0000
Continuing my previous thread of thinking about leveraging/extending existing/emerging SAML2 profiles to request additional attributes as part of a federated provisioning scenario, I found an interesting blog entry by Anil John about work his team has done along this vein:
http://www.aniltj.com/blog/2009/06/06/SAML2ProfilesForPIVSubjectsAndBackendAttributeExchange.aspx
Part of my vision for Identity Management revolves around the idea of expanding the role of a federation service to become the primary channel for externalizing identity exchange between organizations. Not that you necessarily want your federation service to DO provisioning but that any attributes/claims about a Subject from an external organization should be requested between the two organizations' federation services. People who view federation as just an extension of Authentication, especially when they view it through the lens of consumer-facing Use Case scenarios, tend to view SAML as "too heavyweight". But from an architectural perspective, when you think about federation as a collection of services for transporting identity information between security domains - NOT just SSO - you can envision how it can enable all kinds of Identity-centric features, such as "federated provisioning".
I still agree with Nishant that there are basically two scenarios and one of them needs to be as lightweight as possible, but I see no reason why SAML shouldn't be leveraged any time one party wants to request Identity information about a Subject from a different security domain.

https://blogs.oracle.com/mwilcox/entry/thinking_on_oauth_uma_and_spml#comment-1259189365000
Re: Thinking on Oauth, UMA and SPML
Clark Sanford
Wed, 25 Nov 2009 22:49:25 +0000
Mark,
I can validate I heard requests from SP customers when I was with Ping Identity numerous times (2006-7 time frame) asking about federated provisioning. We generally advised they could configure a redirect to their registration page in the event that a lookup to the SP account store failed but I socialized the concept of "Just-In-Time Provisioning" internally with people like David Waite and Ashish Jain. We discussed SPML but most of the customers and prospects I talked to thought that was too heavyweight.
In the scenario Nishant describes where the original Assertion doesn't contain all the attributes/claims they want for provisioning, in a SAML implementation why couldn't the SP service initiate the Assertion Query profile to retrieve the desired additional attributes from the IdP service?

https://blogs.oracle.com/mwilcox/entry/great_presentation_-_what_is_g#comment-1259157795000
Re: Great Presentation - What is Google Chrome OS
Paul Naish
Wed, 25 Nov 2009 14:03:15 +0000
If you like that, check out the VM image someone created of the Alpha code. See http://www.itworld.com/operating-systems/85512/take-chrome-os-test-spin

https://blogs.oracle.com/mwilcox/entry/has_facebook_connect_trumped_t#comment-1257585304000
Re: Has Facebook Connect Trumped Them All?
Matt Topper
Sat, 7 Nov 2009 09:15:04 +0000
Mark,
For the consumer market I think you are right Facebook connect seems to be winning easily. However, I believe the next generation will be moving OpenID into the enterprise. I see it in the government right now. They're searching for a federation solution that allows them to go out to sites like Facebook, Twitter, etc. and have a "Government Verified" badge display next to an authenticated user giving them a level of authority with users of the site. If the user left the government they could still maintain their accounts, but no longer would they get a "Government Verified" badge when they created new content on the relying party site. I see the one time use passwords through SMS or the Verisign phone apps becoming prevalent. With the addition of OAAM technology we'll be able to create a high level of assurance across the web. Federating the risk factors with OAAM between IP's and RP's could make it almost bulletproof without deploying physical fobs. It's definitely an exciting time for identity.
-Matt

https://blogs.oracle.com/mwilcox/entry/be_better_than_blackberry_or_t#comment-1245742755000
Re: Be Better Than Blackberry (or the iPhone)
Joey Asher
Tue, 23 Jun 2009 07:39:15 +0000
Thanks for the mention Mark.
To continue, many people certainly do abuse their Blackberries and are rude to others in meetings by tapping away and not paying attention. And I know many colleagues who simply insist on starting their presentations and meetings by urging people to turn off their pagers, PDAs, and cellphones. But I think that also shows a degree of lack of confidence. If your presentation is good enough, people will ignore their pagers.

https://blogs.oracle.com/mwilcox/entry/broader_look_at_kerberos_activ#comment-1225383867000
Re: Broader Look at Kerberos, Active Directory and Oracle Products
ian
Thu, 30 Oct 2008 16:24:27 +0000
What is required is for oracle to support kerberos GSSAPI across its product range Oracle. The strategy that we are moving with is to classify any product that doesn't support key open authentication/Authorisation technologies as a legacy product. The you need to buy magic product X unfortunately doesn't cut it. Oracle will have a considerable period of time to fix its product set as there is a large installed base however new capability using Oracle now requires CIO signoff because of its poor integration record.

https://blogs.oracle.com/mwilcox/entry/more_james_mcgovern_q_and_a#comment-1223534334000
Re: More James McGovern Q and A
Charles Andres
Thu, 9 Oct 2008 06:38:54 +0000
One small correction: Microsoft did not start the Information Card Foundation. A community of architects and designers including the creators of the Higgins Project created the organization before inviting any corporations to join. The consensus of this community was that the visual metaphor of a digital wallet and cards shared by The Higgins Project (which included open source components contributed by engineers from Parity, Novell, Oracle, and IBM) Microsoft CardSpace, and other researchers, is the best way to present controls for identity and personal information to the widest possible user base. The merger of these efforts along with other components that can benefit from standards protocols now underway at OASIS, makes ICF a common effort by many forward-thinking companies who want to make the Internet a safer and simpler environment for all transactions.
The decision by Microsoft to join the ICF was a great step for the industry to advance toward a common unified way for users to wield trusted verified claims.

https://blogs.oracle.com/mwilcox/entry/reply_to_james_if_he_was_us_ci#comment-1223198784000
Re: Reply to James if he was US CIO
James
Sun, 5 Oct 2008 09:26:24 +0000
Maybe you could share on your next posting exactly how allowing closed source Oracle databases on the Amazon grid is open source?
Likewise, there is a difference between open source and open specifications. Are you willing to say that all reference code will be of production quality?
Sun has open sourced LDAP. Would you as a product manager advocate the same for virtual directories?
OK, Kim Cameron of MS paid for implementations of Cardspace on other platforms in which MS is simply attempting to improve the ecosystem and won't make a cent off it. In many ways it actually competes with its own offerings. What is the Oracle equivalent?

https://blogs.oracle.com/mwilcox/entry/managing_relationships_and_ent#comment-1222689377000
Re: Managing Relationships and Entitlements with LDAP
James
Mon, 29 Sep 2008 11:56:17 +0000
I agree with Pamela Dingle that the data model of cardspace and how it can be persisted is vital. Would love for this to be your next blog entry.

https://blogs.oracle.com/mwilcox/entry/clarifying_eus_and_kerberos#comment-1220376958000
Re: Clarifying EUS and Kerberos
Dan Norris
Tue, 2 Sep 2008 17:35:58 +0000
I'm glad to hear you're getting questions about this from the wild. I'm doing a session on integrating OID, AD, and EUS for database logins at OOW in a few weeks. Maybe I'll see you there? I think it's scheduled for mid-day on Thursday. Officially, the content builder says that it is full and there's a short waiting list when I last looked. Hopefully, they'll move me to a larger room!

https://blogs.oracle.com/mwilcox/entry/strong_authentication_and_risk#comment-1219214518000
Re: Strong Authentication and Risk-Based Access Control Would Reduce OpenID Worries
Dan Norris
Wed, 20 Aug 2008 06:41:58 +0000
I've been talking about OAAM since OOW 2007 when it was just acquired and I think it's a brilliant product. I can only hope that the risk analysis engine can somehow be incorporated and/or integrated with other Oracle products (like Database, App Server) more closely in the coming months/years.
My presentation and whitepaper on this product are online at http://www.dannorris.com/professional-activities/

https://blogs.oracle.com/mwilcox/entry/strong_authentication_and_risk#comment-1218523135000
Re: Strong Authentication and Risk-Based Access Control Would Reduce OpenID Worries
Joe Solinsky
Tue, 12 Aug 2008 06:38:55 +0000
Mark,
Isn't this the old Sxip/ Identity 2.0 idea? You make some good highlights about DNS attacks being a vulnerability for this approach-- it removes all layers of protection. What I don't get is how adoption is going to work. The US Government produced an Identity Federation collaboration approach called eAuthentication, and it has seen growing levels of adoption, primarily because, well, it is the US Government. Maybe I'm missing something here, but how is this not the same thing as collaborative federation?

https://blogs.oracle.com/mwilcox/entry/because_identity_is_more_than#comment-1216440523000
Re: Because Identity Is More Than Your Username and Home Directory
James
Sat, 19 Jul 2008 04:08:43 +0000
http://duckdown.blogspot.com/2008/07/active-directory-20.html

https://blogs.oracle.com/mwilcox/entry/openid_infocard_and_ldap_schem#comment-1216440433000
Re: OpenID, InfoCard and LDAP Schemas
James
Sat, 19 Jul 2008 04:07:13 +0000
You have outlined a good perspective. How about in your next blog entry, actually showing what classes, attributes, etc need to be created and how Oracle will be working to get inetOrgPerson or whatever classes extended industry-wide in a standards based way.